Purpose: to show S2 analysts how to use XKS to enable TAO operations.

The material covers some of the more common searches in XKS, and shows you how to retrieve valuable SIGINT data that S3/TAO finds useful to exploit a target.

It's NOT designed to teach you about TAO (there are many other briefings for that).
Agenda

■ What TAO needs from analysts
■ TELNET Sessions in XKS
■ Identifying Browsers
■ Web Forum Logins / Passwords
■ Webmail Logins / Passwords

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
What TAO needs from analysts

Network Information

■ Logins and Passwords
■ Router configuration information

Software Information

■ Browser
■ Version Numbers
■ Operating Systems

NOTE: If the target device is under a satellite hop, please consult your TAO Liaison on how to proceed.
Network Information

We target TELNET, FTP, etc. for logins and passwords.

Use a LOGIN and PASSWORD QUERY "TO" ports of interest (21 FTP, 23 Telnet, 110 POP3, 69 TFTP, etc.). TFTP carries no login at all, but it is how router configuration files are copied around, so it stays on the list.

WEBMAIL logins and passwords

Use a LOGIN and PASSWORD QUERY "TO" ports of interest (80, 3000, 8080). DO NOT use the login/password you find to log in as your target in Airgap. Ever. Just record them and pass them to TAO.

Router configuration information

Use a "Full Log DNI" query FROM port 23 and the "From" IP of interest. The router sends its banner and its configuration output from port 23, so that direction is where the text lives.
How do we get that?

Software Information

Browsers

Use an HTTP Activity Query; results are in the "browser" field.

■ Servers

Use HTTP Activity: HTTP "Response" traffic contains web server information (the Server header).

■ Operating Systems or Version Numbers

Using FULL LOG DNI we can do "Banner Grabbing" on content FROM port 23 and FROM the target's IP address.
TELNET Sessions in XKS

Administrator attempts to reach a remote host using Telnet. The exchange as drawn on the slide:

From Port 3434 -> To Port 23:    "Telnet 202."
From Port 23   -> To Port 3434:  "Welcome to xyz router, Apache 2.0 - Please enter Login & Password"
From Port 3434 -> To Port 23:    "Username: Admin / Password: Admin"
From Port 23   -> To Port 3434:  "Here's your router configuration information"
Let's make a query and target this traffic: the banner the router sends FROM port 23 TO port 3434 ("Welcome to xyz router, Apache 2.0 - Please enter Login & Password").
Search: Full Log (query form as filled in on the slide)

Justification / Additional Justification / Miranda Number: (as required)
Datetime: 1 Week, Start 2009-07-09 00:00, Stop 2009-0…
Client IP / Username / Attribute Info: (left blank; "Populate with Field Builder")
IP Address: 213.… (From) - this is the router's IP address for which you're trying to gain access (mail server maybe?)
IP Address: (To)
Port: 23 (From)
Result: a session of 2009-07-11 15:12:30, From IP 213.… (Saudi Arabia) -> To IP 212.…, shown in the Session tab (Header (3), Meta (6)) with AUTO FORMATTER: app_id = terminal/telnet/from_server(port23), Viewer = ASCII formatter. One-Click Searches offered on the session: Find opposite side of session (213.…:23 -> 212.…), Find traffic on (212.…, 213.…), Find application (terminal/telnet/from_server), Find fingerprint (misc/network/configuration…), Find email address.

The session content is the router's login banner:

Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands:

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm

User Access Verification

Username: isp
Password:

Two things to take from this banner. It is the stock SDM warning, so the device may still have the documented cisco/cisco account at privilege 15. And "Username: isp" is visible here, in the from_server direction, only because the Telnet server echoes what the administrator types; the password is not echoed, so it has to come from the opposite side of the session (the to_server direction).
Another from_server session: 2009-07-11 04:22:46, From IP 125.… (China) -> To IP 200.… (Cuba); Session tab Header (3), Meta; AUTO FORMATTER: app_id = terminal/telnet/from_server(port23), Viewer = ASCII formatter. One-Click Searches: Find opposite side of session (125.… -> 200.…), Find traffic on (125.…), Find application (terminal/telnet/from_server).

The banner identifies the device:

* IAD2000 Integrated Access Device *
Copyright 2002-2005 Huawei Technology Co., Ltd
Location Name:
Phone Number:

User name (<=15 chars):
A third from_server session: 2009-07-12 23:59:33, From IP (China) -> To IP 200.… (Cuba), From Port 23 -> To Port 2541; Session tab Header, Meta. One-Click Searches: Find opposite side of session (-> 200.…), Find traffic on, Find application (terminal/telnet/from_server).

Banner:

Login:

Welcome to ZTE Full Service Access Platform
Press Return to get started
Copyright 2005-2009, ZTE Co., Ltd.
A fourth from_server session: 2009-07-13 19:36:52, From IP (Cuba) -> To IP (China), From Port 23 -> To Port 44710, TCP; Session tab Header (3), Meta (4); AUTO FORMATTER: app_id = terminal/telnet/from_server(port 23), Viewer = ASCII formatter. One-Click Searches: Find opposite side of session (200.…:23 ->), Find fingerprint (sigdev/huawei…, misc/network/configuration…), Find traffic on (210.…, 200.…), Find application (terminal/telnet/from_server).

Banner:

* Copyright (c) 1998-2006 Huawei Technologies Co., Ltd. All rights reserved. *
* Without the owner's prior written consent,                                  *
* no decompiling or reverse-engineering shall be allowed.                     *

Login authentication

Username:
Username:
Username:
Back to the exchange: this time let's make a query and target the credentials the administrator sends FROM port 3434 TO port 23 ("Username: Admin / Password: Admin").
Search: Logins and Passwords (query form as filled in on the slide)

Query Name / Justification / Additional Justification / Miranda Number: (as required)
Datetime: 1 Day, Start 2009-07-14 00:00, Stop 2009-…
User Name / Password / Domain: (left blank)
IP Address: (From)
IP Address: (To) - this is the router's IP address for which you're trying to gain access (mail server maybe?)
Port: (From)
Port: 23 (To)
From Port 3434 -> To Port 23: "Username: Admin / Password: Admin"

Result: a session of 2009-07-13 07:37:47, From IP 195.… (Yemen) -> To IP 202.… (China), From Port 1047 -> To Port 23; Session tab Header (3), Meta (4); AUTO FORMATTER: app_id = terminal/telnet/to_server(port23), Viewer = ASCII formatter. One-Click Searches: Find opposite side of session (195.… -> 202.…), Find traffic on (202.…, 195.…), Find application (terminal/telnet/to_server).

Content (the client side of the session):

USER 123
PASS 321
TYPE I
PORT 195,219,37,199,4,24
…
QUIT

Note what this actually is: USER, PASS, TYPE I, PORT and QUIT are FTP control-channel commands, sent here to port 23. XKS labelled the session terminal/telnet/to_server from the port, not from the protocol, so read the content rather than trusting the label. The login and password are in cleartext either way, and the PORT argument (h1,h2,h3,h4,p1,p2) is the address and data-connection port the client asks the server to connect back to, as FTP active mode requires.
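As an added example (not from the deck and not XKS code), here is the logic an analyst or a network-forensics tool applies to reassembled Telnet/FTP session text like the sessions above: fingerprint the banner, pull the login and password, and flag a banner that admits a default account. The fingerprint labels, the regexes and the three sample sessions are constructed for this example; the samples are modelled on the Cisco SDM, Huawei and FTP-on-port-23 screenshots and are not captures.

```python
import re

# Banner substring -> label. Constructed for this example; the labels imitate the
# fingerprint names visible in the deck but are not XKS's own list.
BANNER_SIGNATURES = (
    ("Cisco Router and Security Device Manager", "fingerprint/router/cisco/sdm"),
    ("User Access Verification",                 "fingerprint/router/cisco/ios"),
    ("IAD2000 Integrated Access Device",         "sigdev/huawei/iad2000"),
    ("Huawei Technolog",                         "sigdev/huawei"),
    ("ZTE Full Service Access Platform",         "sigdev/zte"),
)

# The SDM banner spells out its one-time default account in prose.
DEFAULT_ACCOUNT = re.compile(
    r'username "(?P<user>[^"]+)"\s+with the pass-?word "(?P<pw>[^"]+)"', re.I)

# Telnet prompt/answer pairs: the server echoes the typed username, never the
# password. FTP's control channel carries both in USER/PASS verbs.
TELNET_USER = re.compile(
    r"^[ \t]*(?:user ?name|login)[ \t]*(?:\([^)]*\))?[ \t]*:[ \t]*(\S+)[ \t]*$", re.I | re.M)
TELNET_PASS = re.compile(r"^[ \t]*password[ \t]*:[ \t]*(\S+)[ \t]*$", re.I | re.M)
FTP_USER = re.compile(r"^USER[ \t]+(\S+)", re.M)
FTP_PASS = re.compile(r"^PASS[ \t]+(\S+)", re.M)


def fingerprint(text):
    """Every vendor/product label whose banner substring appears in the text."""
    return [label for needle, label in BANNER_SIGNATURES if needle in text]


def extract_credentials(text):
    """Usernames and passwords present in reassembled session text."""
    return {"usernames": TELNET_USER.findall(text) + FTP_USER.findall(text),
            "passwords": TELNET_PASS.findall(text) + FTP_PASS.findall(text)}


def default_accounts(text):
    """(user, password) pairs a banner admits to, e.g. SDM's cisco/cisco at privilege 15."""
    return [(m.group("user"), m.group("pw")) for m in DEFAULT_ACCOUNT.finditer(text)]


def analyze(session):
    """session: {'direction': 'from_server'|'to_server', 'port': int, 'text': str}."""
    text = session["text"]
    report = {
        "app_id": "terminal/telnet/%s(port%d)" % (session["direction"], session["port"]),
        "fingerprints": fingerprint(text),
        "credentials": extract_credentials(text),
        "default_accounts": default_accounts(text),
        "notes": [],
    }
    # A username on the from_server side is the server's echo of what was typed;
    # the password is never echoed, so it lives in the other direction.
    if session["direction"] == "from_server" and report["credentials"]["usernames"]:
        report["notes"].append("username is the server's echo; password is not echoed, "
                               "read the opposite side of the session")
    if session["port"] == 23 and (FTP_USER.search(text) or FTP_PASS.search(text)):
        report["notes"].append("FTP verbs on port 23: app_id follows the port, not the protocol")
    return report


# Constructed sample sessions modelled on the deck's screenshots (not captures).
CISCO_FROM_SERVER = """\
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

User Access Verification

Username: isp
Password:
"""
FTP_ON_PORT_23 = "USER 123\r\nPASS 321\r\nTYPE I\r\nQUIT\r\n"
HUAWEI_FROM_SERVER = ("Copyright (c) 1998-2006 Huawei Technologies Co., Ltd.\n"
                      "Login authentication\n\nUsername:\n")

if __name__ == "__main__":
    for s in ({"direction": "from_server", "port": 23, "text": CISCO_FROM_SERVER},
              {"direction": "to_server", "port": 23, "text": FTP_ON_PORT_23},
              {"direction": "from_server", "port": 23, "text": HUAWEI_FROM_SERVER}):
        print(analyze(s))
```

Run it and the Cisco sample reports the SDM and IOS fingerprints, the default cisco/cisco account, the echoed username isp and a note to read the opposite side for the password; the port-23 sample reports FTP credentials 123/321 and no fingerprint at all, which is the cue that it is not Telnet.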
Administrator attempts to reach a remote host using Telnet: From Port 3434 -> To Port 23, "Telnet 202." Now target the configuration output the router sends back.

Search: Full Log (query form as filled in on the slide)

Query Name / Justification / Additional Justification / Miranda Number: (as required)
Datetime: Custom, Start 2009-07-12 21:00, Stop 2009-07-15
Client IP / Username / Attribute Info: (left blank)
IP Address: (From) - your target's IP
IP Address: (To)
Port: 23 (From)
Size: greater than 500 bytes (a login banner is small; a configuration dump is not)
Result: a session of 2009-07-15 14:32:13 between 78.… and 85.… (both Iran), From Port 23; Session tab Header (3), Meta (5), ASCII view. One-Click Searches: Find opposite side of session, Find fingerprint (fingerprint/router/cisco/…, misc/network/configuration…), Find traffic on (85.…, 78.…), Find application (terminal/telnet/from_server).

Content (a Cisco IOS configuration being paged out with --More--):

interface Ethernet0
 no ip address
 shutdown

interface Serial0
 no ip address
 shutdown
 clock rate 2015232
 no fair-queue

interface Serial1
 no ip address
 shutdown
 clock rate 2015232
 no fair-queue

 --More--

interface Serial2
 no ip address
 shutdown
 clock rate 2015232
 no fair-queue

interface Serial3
 no ip address
 shutdown
 clock rate 2015232
 no fair-queue

interface Serial1:15
 ip unnumbered FastEthernet0
 encapsulation ppp
 isdn switch-type primary-net5

interface Serial2:15
 ip unnumbered FastEthernet0
 encapsulation ppp
…

Many times this will contain Access Control Lists (ACLs) - VERY important pieces of intel. Copy/paste out the full config.
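The ACL point deserves a worked example. The following is added here (it is not part of the deck) to show what to pull from a pasted-out IOS configuration: which interfaces are live, which ACL is bound in which direction, what each ACL permits or denies, and whether the management lines still accept Telnet. The sample configuration is constructed for this example, modelled on the interface stanzas above with ACL and vty lines added; the hostname, addresses and ACL names are invented.

```python
import re

INTERFACE_RE = re.compile(r"^interface\s+(\S+)")
ACL_BIND_RE = re.compile(r"^\s+ip access-group\s+(\S+)\s+(in|out)\b")
NUMBERED_ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(.*)")
NAMED_ACL_RE = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)")
LINE_RE = re.compile(r"^line\s+((?:con|aux|vty)\b.*)")


def parse_ios_config(text):
    """Pull interfaces, ACL definitions/bindings and line stanzas out of IOS config text."""
    cfg = {"interfaces": {}, "acls": {}, "lines": {}}
    block = None  # (section, key) of the indented stanza currently being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":           # '!' and blank lines end a stanza
            block = None
            continue
        if m := INTERFACE_RE.match(line):
            cfg["interfaces"][m[1]] = {"acl_in": None, "acl_out": None,
                                       "shutdown": False, "addr": None}
            block = ("interfaces", m[1])
            continue
        if m := NUMBERED_ACL_RE.match(line):  # numbered ACL: one rule per top-level line
            cfg["acls"].setdefault(m[1], []).append(m[2])
            block = None
            continue
        if m := NAMED_ACL_RE.match(line):     # named ACL: rules indented below the header
            cfg["acls"].setdefault(m[1], [])
            block = ("acls", m[1])
            continue
        if m := LINE_RE.match(line):
            cfg["lines"][m[1]] = []
            block = ("lines", m[1])
            continue
        if block is None or not line.startswith(" "):
            block = None                      # some other top-level command
            continue
        section, key = block
        item = line.strip()
        if section == "interfaces":
            iface = cfg["interfaces"][key]
            if b := ACL_BIND_RE.match(line):
                iface["acl_" + b[2]] = b[1]
            elif item == "shutdown":
                iface["shutdown"] = True
            elif item.startswith(("ip address ", "ip unnumbered ")):
                iface["addr"] = item
        else:
            cfg[section][key].append(item)
    return cfg


def findings(cfg):
    """Things worth reporting from a parsed configuration."""
    out = []
    for name, iface in cfg["interfaces"].items():
        if iface["shutdown"]:
            continue
        for direction in ("in", "out"):
            acl = iface["acl_" + direction]
            if acl is None:
                out.append(f"{name}: no {direction}bound ACL")
            elif acl not in cfg["acls"]:
                out.append(f"{name}: {direction}bound ACL {acl} is referenced but not defined")
    for name, cmds in cfg["lines"].items():
        for cmd in cmds:
            if cmd.startswith("transport input") and ("telnet" in cmd or "all" in cmd):
                out.append(f"line {name}: cleartext management allowed ({cmd})")
    return out


# Constructed sample (not a capture); the Serial stanzas mirror the slide.
SAMPLE_CONFIG = """\
!
hostname edge-rtr
!
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 101 in
!
interface Serial0
 no ip address
 shutdown
 clock rate 2015232
 no fair-queue
!
interface Serial1:15
 ip unnumbered FastEthernet0
 encapsulation ppp
 ip access-group MGMT out
!
access-list 101 permit tcp any host 10.0.0.5 eq 80
access-list 101 deny ip any any log
ip access-list extended MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
!
line vty 0 4
 transport input telnet
!
"""

if __name__ == "__main__":
    parsed = parse_ios_config(SAMPLE_CONFIG)
    print(parsed["acls"])
    print("\n".join(findings(parsed)))
```

The parser keys everything off IOS's own layout: stanza bodies are indented one space, "!" closes a stanza, numbered ACLs are flat top-level lines while named ACLs nest their rules. That is enough to answer the questions the slide cares about (which ACL guards which interface, and whether management is still over Telnet) without a vendor library.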











Identifying Browsers
■ Why?

TAO can exploit the browsers that lack strong security.
Search: HTTP Activity

This query targets foreign-based targets visiting known Jihadi web forums to learn about what browsers they use.

Query Name: web forum browsers
Justification: targets visiting known jihadi web forums
Additional Justification / Miranda Number: (as required)
Datetime: Custom, Start 2009-07-12 00:00, Stop 2009-07-15 21:59
HTTP Type: (any)
Host: … or *hanein.info or *ansar1.net or *ansarnet.info  (Populate with URL Field Builder)
Browser: (any)
Country: !US AND !GB AND !CA AND !NZ AND !AU  (From)
Results (one row per HTTP request): HTTP Type, From Country, From IP, Host, Browser. The rows are get requests from DJ, SO, PK, AT, ID, LB, MY and other countries to hosts such as www.alqimmah.net, alqimmah.net, www.ashiyane.org, hanein.info, www.al-faloja.info and www.alfaloja.info, with Browser values such as:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; …
Nokia2680s-2/1.0 (04.01) Profile/MIDP-2.1 Configuration/CLDC-1.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AskTB5.4)
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC 3.0; .NET CLR 1.0.3705; FDM; …
Opera/9.25 (Windows NT 5.1; U; en)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.15… Safari/525.…
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.2 Safari/5…
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; ImageShack Toolbar 4.5.…

This displays the From Country (where the target is located), their IP, the website they visited, AND their browser.
Here's another example where we targeted people visiting *.gov.ir websites. The HTTP Activity results (HTTP Type, From Country, Host, Browser) are mostly get requests (one post) from CN, XX, IR, AE, PH, JP, MX, PK, CH, EU, IQ, DE and other countries to hosts such as mefa.gov.ir, www.moe.gov.ir, www.mim.gov.ir, www.mfa.gov.ir, cms.mfa.gov.ir, edd.behdasht.gov.ir, vsa.behdasht.gov.ir, www.women.gov.ir, www.sabt.gov.ir, www2.refah.gov.ir, transport.irica.gov.ir and www.razavimet.gov.ir. Nearly every Browser value begins the same way:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3…
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; FDM)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.507…
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; DigExt)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.2)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1…
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)

POP Quiz: Which browser are we seeing????

"Mozilla/4.0" is NOT a browser: it is the compatibility token that nearly every client puts at the front of its User-Agent string. The browser is the "MSIE 6.0" token = Internet Explorer 6.0 (and "Windows NT 5.1" = Windows XP).







The same *.gov.ir query with the From IP, From Country, HTTP Type, Host and Browser columns shown. Rows from KR, AT, CH, DE, FR, ML, AE, IT, EC, IR, RU and others to hosts such as www.mfa.gov.ir, www.mim.gov.ir, www.sabt.gov.ir, www.behdasht.gov.ir, www.mefa.gov.ir, www.irica.gov.ir and www.moc.gov.ir. Not every Browser value is a person at a keyboard; crawlers and monitoring services show up too:

Mozilla/4.0 (compatible; NaverBot/1.0; http://help.naver.com/customer_webtxt_02.jsp)
Mozilla/4.0 (compatible; NaverBot/1.0; http://help.naver.com/delete_main.asp)
Mozilla/4.0 (compatible;)
Mozilla/5.0
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.5 (like Gecko) (Exabot-Thumbnails)
Mozilla/5.0 (compatible; MJ12bot/v1.2.5; http://www.majestic12.co.uk/bot.php?+)
Mozilla/5.0 (compatible; monitis.com - free monitoring service; http://monitis.com)
Mozilla/5.0 (compatible; YoudaoBot/1.0; http://www.youdao.com/help/webmaster/spider/; )
Mozilla/5.0 (en-us) AppleWebKit/525.13 (KHTML, like Gecko; Google Wireless Transcoder) Version/3.1 Safari/525.13

Real browsers in the same result set:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_11; en) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.2…
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_5; fr-fr) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.2 Safari/52…
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; it-it) AppleWebKit/530.18 (KHTML, like Gecko) Version/4.0.1 Safari/530.1…
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; zh-cn) AppleWebKit/523.15.1 (KHTML, like Gecko) Version/3.0.4 Safari/523.15
Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaN95_8GB/31.0.015; Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit…
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.11) Gecko/2009… Firefox/3.0.11
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/528.8 (KHTML, like Gecko) Chrome/2.0.156.1 Safari/528.8
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Safari/530.17
Right-clicking a column header in the results grid offers: Sort Ascending, Sort Descending, Filters, Group By, Histogram, Pivot Data, Histogram Grid, Show/Hide..., AutoFit Column Width.

If you have thousands of results, try "Group By" (on the Browser column, for instance) to "dedupe" results.

Watch for mobile browsers! The Browser column on this slide is full of handset strings:

Mozilla/4.0 (compatible; MSIE 5.0; Series80/2.0 Nokia9300/4.53 Profile/MIDP-2.0 Configuration/CLDC-1.1)
Mozilla/4.0 (compatible; MSIE 6.0; Symbian OS; Nokia N70/5.0…
Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 Nokia5700/3.27; Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413
Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 Nokia6120c/3.83; Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413
Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE51-1/100.34.20; Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413
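What the POP Quiz teaches is a parsing rule: the leading Mozilla/x.y token is a compatibility marker, the product token (MSIE 6.0, Firefox/3.0.11, Chrome/…, Opera/9.25) is the browser, and a string with no product token is usually a handset or a crawler. As an added example (not from the deck), the code below applies that rule to a list of User-Agent strings and then does the same Group By the slide recommends. The sample strings are constructed, modelled on the ones shown above; the marker lists and OS table are assumptions that cover this material, not a complete browser database.

```python
import re
from collections import Counter

# Constructed marker lists and OS table: enough for the strings on these slides,
# not a browser database.
BOT_MARKERS = ("bot", "spider", "crawler", "monitis", "transcoder", "thumbnails")
MOBILE_MARKERS = ("symbian", "series60", "series80", "nokia", "midp", "cldc")
OS_TABLE = (
    ("Windows NT 6.0", "Windows Vista"), ("Windows NT 5.1", "Windows XP"),
    ("Windows NT 5.0", "Windows 2000"), ("Mac OS X", "Mac OS X"),
    ("SymbianOS", "Symbian"), ("Symbian OS", "Symbian"), ("Linux", "Linux"),
)
# Product tokens in priority order: Chrome precedes Safari because a Chrome
# string also ends in 'Safari/...'; 'Version/x.y ... Safari/' is desktop Safari,
# a bare 'Safari/413' with no Version/ is the S60 WebKit browser.
PRODUCT_TOKENS = (
    ("Opera",   re.compile(r"^Opera/([\d.]+)")),
    ("MSIE",    re.compile(r"MSIE ([\d.]+)")),
    ("Firefox", re.compile(r"Firefox/([\d.]+)")),
    ("Chrome",  re.compile(r"Chrome/([\d.]+)")),
    ("Safari",  re.compile(r"Version/([\d.]+).*Safari/")),
    ("WebKit",  re.compile(r"Safari/([\d.]+)")),
)


def classify(ua):
    """(browser, version, os, is_mobile, is_bot) for one User-Agent string.

    'Mozilla/4.0' or 'Mozilla/5.0' at the front is a compatibility marker that
    nearly every client sends; the browser is named by a later product token.
    """
    low = ua.lower()
    is_bot = any(m in low for m in BOT_MARKERS)
    is_mobile = any(m in low for m in MOBILE_MARKERS)
    os_name = next((name for needle, name in OS_TABLE if needle in ua), "unknown")
    for name, rx in PRODUCT_TOKENS:
        if m := rx.search(ua):
            return (name, m.group(1), os_name, is_mobile, is_bot)
    return ("bot" if is_bot else "unknown", "", os_name, is_mobile, is_bot)


def group_by(uas, key=lambda c: (c[0], c[1])):
    """Count classified strings by a key: the slide's 'Group By' for deduping."""
    return Counter(key(classify(ua)) for ua in uas)


# Constructed sample strings modelled on the slides (not captured values).
SAMPLE_UAS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727)",
    "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11",
    "Opera/9.25 (Windows NT 5.1; U; en)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) "
    "Chrome/1.0.154.53 Safari/525.19",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-us) AppleWebKit/525.18.1 "
    "(KHTML, like Gecko) Version/3.1.2 Safari/525.20",
    "Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaN95_8GB/31.0.015; Profile/MIDP-2.0 "
    "Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413",
    "Nokia2680s-2/1.0 (04.01) Profile/MIDP-2.1 Configuration/CLDC-1.1",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
]

if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(classify(ua), "<-", ua[:60])
    for key, n in group_by(SAMPLE_UAS).most_common():
        print(n, key)
```

Grouping by (browser, version) collapses the two MSIE 6.0 rows into one line with a count of 2, which is the dedupe the slide asks for; grouping by the mobile flag instead (key=lambda c: c[3]) separates the handsets, and the bot flag drops crawlers before anyone reads a Googlebot row as a person.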
Search: Logins and Passwords (Forum Logins/PW, query form as filled in on the slide)

Query Name: (as required)
Justification: foreign jihadi web forum users logins passwords
Additional Justification / Miranda Number: (as required)
Datetime: 2 Days, Start 2009-07-13 00:00, Stop 2009-07-15 23:5…
User Name / Password: (left blank)
Domain: *moqawmh.com or *al-shouraa.com or *alhun…
IP Address: (From) / IP Address: (To)
Port: (From) / Port: (To)
Country: !US AND !GB AND !CA AND !NZ AND !AU  (From)  -> Foreign
Result: a session of 2009-07-15 11:27:11, From IP (Iran) -> To IP 207.… (United States), From Port 9253 -> To Port 80; Session tab Header (3), Meta (11), Attachments (19): unknown, text, and a run of embedded_base64 parts plus one unknown_500w… One-Click Searches: Find opposite side of session (…:9253 -> 207.…). AUTO FORMATTER: app_id = mail/webmail/vbulletin, Viewer = DNI_PRESENTER formatter. Display Information: HTTP-POST/Form-Data; UIS Web Form Display.

Form Fields (a vBulletin registration POST):

securitytoken
do = addmember
url
agree = 1
password_md5
passwordconfirm_md5
day = 0
month = 0
year
username
password
passwordconfirm
email = …@yahoo.com
emailconfirm = …@yahoo.com
imagestamp
imagehash

Note that the form carries both the password/passwordconfirm fields and separate password_md5/passwordconfirm_md5 fields: the board expects the browser to MD5 the password before sending it, so which of the two pairs is populated tells you whether the client ran the page's JavaScript.
Webmail Logins / Passwords
Masquerade as user and read mail

Useful, but secondary to....

Potentially use Login/PW to get full access to the web server itself

Port 80 is useful, but....

Port 3000 has XDaemon traffic (woo hoo! Let's take a look)

(Both uses are TAO's, not the analyst's: as said earlier, record the credentials and pass them on; never use them to log in as your target.)
Search: Logins and Passwords (webmail, query form as filled in on the slide)

Justification: Targeting foreign-based (non-5EYES) Iranian government webmail users; users in and out of Iran
Additional Justification / Miranda Number: (as required)
Datetime: 1 Week, Start 2009-07-08 00:0…
Country: (see the form below)
X-KEYSCORE C2C Session Viewer: a session of 2009-07-13 11:54:00, From IP 193.… (Guinea) -> To IP 217.… (Iran), From Port 50423 -> To Port 80, TCP; Session tab Header (3), Meta (6). One-Click Searches: Find opposite side of session (193.…:50423 ->), Find traffic on (217.…), Find application (http/proxy_to_server/s…), Find proxy hash (c03a567a…), Find x-forwarded-for IP (193.…). AUTO FORMATTER: app_id = http/proxy_to_server/squid_proxy, Viewer = DNI_PRESENTER formatter. Display Information: HTTP-GET.

GET /load_users.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Referer: http://wvisa.mfa.gov.ir/logotopuser.php
Accept-Language: fa
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: wvisa.mfa.gov.ir
Cookie: azhans_name=---; azhans_user=…; azhans_pass=…; azhans_emat=user; user=THR; username=---; place=deleted; famil=deleted; __utma=238135644.…; __utmz=238135644.….utmcsr=fardanews.com|utmccn=(referral)|utmcmd=referral|utmcct=/fa/pages/links.php
Via: 1.1 …:3128 (squid/2.6.STABLE16)
X-Forwarded-For: 193.…

Three things in this request matter. The webmail application keeps the user's name and password in cookies (azhans_user, azhans_pass), so every request to the site, not just the login, carries the credential in cleartext. The request reached the server through a Squid proxy on port 3128, which is why the session is typed http/proxy_to_server/squid_proxy: the Via header names the proxy and its software version, and the X-Forwarded-For header, added by the proxy, carries the address of the client behind it, which is what "Find x-forwarded-for IP" pivots on. And the Referer plus the Google Analytics __utmz cookie record how the user arrived (a link on fardanews.com), which is browsing history the user never meant to send anywhere.





More webmail examples

[Screenshot: Search: Logins and Passwords query form. Fields: Query Name, Justification, Additional Justification, Miranda Number; Datetime: Custom, Start 2009-07-12 21:00, Stop 2009-07-15; User Name, Password, Domain; IP Address (From), IP Address (To); Port (From), Port (To): 80 or 3000; Country (From): CN.]
[Screenshot: XKEYSCORE session viewer for a captured HTTP POST. Attachments: one unknown/text item (x-www-form-urlencoded). One-click searches: Find opposite side of session, Find traffic on, Find application http/post/x-www-form-urlencoded. AUTO FORMATTER: app_id=http/post/x-www-form-urlencoded Viewer=DNI_PRESENTER formatter. ID: sess_orig_proc; Document type: HTTP; Display options: Document Info, Raw Data, CCDF, formatting file; Contents (1): html; Web Form Display, Form Fields: User, Password (the webmail logon form); File size and Attachments panels. Slide marking: TOP SECRET//COMINT//20320108.]
[Screenshot: Search: Logins and Passwords query form, second example. Fields: Query Name, Justification, Additional Justification, Miranda Number; Datetime: Custom, Start 2009-07-12 21:00, Stop 20.. (cut off); User Name, Password; Domain: 126.com; IP Address (From/To), Port (From/To); Country (From): CN.]
[Screenshot: session viewer. Datetime 2009-07-15 07:53:19; Case Notation redacted; From IP 10.34.35.45 (private address); To IP (China); From Port 2745; To Port 80. Tabs: Header, Meta, Attachments (1); attachment: unknown/text, x-www-form-urlencoded. One-click searches: Find opposite side of session (10.34.35.45:2745 -> ...), Find traffic on 10.34.35.45, Find application mail/webmail/coremail, Find email address. AUTO FORMATTER: app_id=mail/webmail/coremail Viewer=DNI_PRESENTER formatter. Document Information: File; Contents (1): File name html, File type HTTP-POST/Form-Data, File size 138. Display Information: HTTP-POST/Form-Data; UIS Web Form Display, Form Fields: domain (126.com), language (0), Cookie, username (redacted, @126.com), save1, user, password, style, enter.x.]
[Screenshot: session viewer. Datetime 2009-07-13 07:27:18; Case Notation redacted; From IP (United Arab Emirates); To IP 79.x (Iran); From Port 32227; To Port 80. Tabs: Header (3), Meta (7), Attachments (1); attachment: unknown/text, x-www-form-urlencoded. AUTO FORMATTER: app_id=mail/webmail/vbulletin Viewer=DNI_PRESENTER formatter. One-click searches: Find opposite side of session, Find traffic on 79.x, Find application mail/webmail/vbulletin. ID: sess_orig_proc; Document type: HTTP-POST/Form-Data. Display options: Raw Data, CCDF; Document Information: File; Contents (1): Filename html, Filetype HTTP-POST/Form-Data, File size 158, Attachments 0. Display Information: HTTP-POST/Form-Data; UIS Web Form Display, Form Fields: username, passwd, Submit, option (comuser), task (login), return (encoded value); the field values are not reproduced here.]
Web Servers run particular software

■ E.g. Apache, Microsoft IIS, Unix, etc.
■ TAO has exploits for particular ones
This targets Jihadi web forums for their Server information

[Screenshot: Search: HTTP Activity query form. Fields: Query Name, Justification, Additional Justification, Miranda Number; Datetime: 3 Days, Start 2009-07-12 00:00, Stop 2009-07-.. (cut off); HTTP Type: response; Host: *moqawmh.com or *al-shouraa.com or *alhur... (cut off); Country (To): !US AND !GB AND !CA AND !NZ AND !AU; Populate button.]
query to find server inf

[Screenshot: Search: HTTP Activity query form, with the analyst’s callout "This is the network to which I’m trying to gain access (IR MOIS)." Fields: Query Name, Justification, Additional Justification, Miranda Number; Datetime: Custom; HTTP Type: response; IP Address: regex: 87\.247\.16[0-3]\.[8-255]; Country (To): !US AND !GB AND !CA AND !NZ AND !AU.]
In the HTTP Activity results, you see the servers listed

Server Type
Apache/2.2.11 (Unix) PHP/?.4.7 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9... (first PHP digit unreadable; line cut off)
Apache/2.2.11 (Unix) PHP/5.2.6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9... (cut off)
Apache/2.2.11 (Unix) PHP/5.2.8
Apache/2.2.11 (Unix) PHP/5.2.8 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9... (cut off)
Apache/2.2.11 (Unix) PHP/5.2.9
Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i mod_autoindex_co... (cut off)
Apache/2.2.2 (Unix)
Apache/2.2.3 (CentOS)
Apache/2.2.3 (Debian) DAV/2 mod_perl/2.0.2 Perl/v5.8.8
(one further row unreadable)
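The Server Type column above is populated from the HTTP Server response header. The following Python example is added here and is not from the slides or from XKEYSCORE: it parses banners of the form shown (product/version, platform in parentheses, then module/library pairs) and scores how much each one discloses, which is the check a web-server owner runs to find hosts advertising versions they would rather not. The sample banners are constructed to match the slide’s layout, not copied from any live host.

```python
"""Parse HTTP Server response-header banners and rank how much they disclose."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample banners, modelled on the Server Type column on the slide
# (OCR noise removed). Illustrative values only, not taken from live hosts.
SAMPLE_BANNERS = [
    "Apache/2.2.11 (Unix) PHP/5.2.6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8e",
    "Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i",
    "Apache/2.2.3 (CentOS)",
    "Apache/2.2.3 (Debian) DAV/2 mod_perl/2.0.2 Perl/v5.8.8",
    "Microsoft-IIS/6.0",
    "Apache",            # what Apache sends with "ServerTokens Prod"
]

# A token is either a parenthesised group "(Unix)" or a run of non-space characters.
_TOKEN = re.compile(r"\([^)]*\)|\S+")


@dataclass
class Banner:
    raw: str
    product: str
    version: Optional[str]
    platform: Optional[str]
    components: List[Tuple[str, Optional[str]]] = field(default_factory=list)

    @property
    def disclosure(self) -> int:
        """0 = product name only; the version, the platform and every listed
        module/library each add one point."""
        return (int(self.version is not None)
                + int(self.platform is not None)
                + len(self.components))


def _split_name_version(token: str) -> Tuple[str, Optional[str]]:
    """'mod_ssl/2.2.11' -> ('mod_ssl', '2.2.11'); 'Suhosin-Patch' -> ('Suhosin-Patch', None).
    A leading 'v' as in 'Perl/v5.8.8' is dropped from the version."""
    name, sep, ver = token.partition("/")
    if not sep:
        return name, None
    return name, (ver.lstrip("v") or None)


def parse_server_header(value: str) -> Banner:
    """Split one Server header value into product, version, platform and components."""
    tokens = _TOKEN.findall(value.strip())
    if not tokens:
        raise ValueError("empty Server header")
    product, version = _split_name_version(tokens[0])
    platform = None
    components: List[Tuple[str, Optional[str]]] = []
    for tok in tokens[1:]:
        if tok.startswith("(") and tok.endswith(")"):
            platform = tok[1:-1]          # "(Unix)", "(CentOS)", "(Win32)"
        elif tok.lower() == "with":
            continue                      # joiner in "PHP/5.2.6 with Suhosin-Patch"
        else:
            components.append(_split_name_version(tok))
    return Banner(value, product, version, platform, components)


def audit(banners: List[str]) -> List[Banner]:
    """Parse every banner and return them most verbose first, so the hosts
    that leak the most version detail are reviewed first."""
    parsed = [parse_server_header(b) for b in banners]
    return sorted(parsed, key=lambda b: b.disclosure, reverse=True)


if __name__ == "__main__":
    for b in audit(SAMPLE_BANNERS):
        print(f"{b.disclosure:2d}  {b.product:<14} {b.version or '-':<8} "
              f"{b.platform or '-':<8} {b.components}")
```

Run stand-alone it prints the banners most verbose first. On Apache the `ServerTokens Prod` directive reduces the header to the bare product name (the last sample above), and `ServerSignature Off` removes the same detail from server-generated error pages.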
Many times when we task TAO we have back/forth conversations about how to exploit the target. These slides should help you find the things that TAO needs from S2 Analysts. It’s difficult to cover all of the examples of how XKS can help, but this is a good start.

Good luck.